Since fiscal year 2012, we have reported on IRS’s lack of significant internal controls over its own financial reporting systems. We found that IRS made progress in addressing some of the internal control problems we identified, such as restricting unnecessary user access to certain applications and enforcing the use of encryption. The agency also corrected a previously identified contingency planning weakness for one system.

But problems continue to challenge IRS

Despite making improvements, IRS continues to face challenges in correcting previous and ongoing information security control problems in its financial systems that contain taxpayer data. IRS had the most weaknesses in preventing unauthorized access to its systems and in proper configuration management (i.e., security features for information systems). For example, IRS has not

By the end of fiscal year 2017, IRS had not fully implemented 117 prior GAO recommendations, and we made 37 new recommendations to address information security control problems for a total of 154 outstanding recommendations.